Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Charting a percentage

a212830
Champion
‎06-01-2012 08:40 AM

Hi,

How would I chart a percentage of values? I want to count the number of events that match a criteria, and then display in a chart the percentage that match a certain criteria.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎06-01-2012 09:39 AM

Try

yoursearchhere |
stats count by criteria | 
eventstats sum(count) as totalCount |
eval percentage=round(count*100/totalCount,1) |
fields - count totalCount |
chart max(percentage) by criteria

In the search above max(percentage) is really sort of a no-op, as there is only one percentage for each criterion. But you can't just give a field name for the Y argument, you have to give a function...

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎06-01-2012 09:39 AM

Try

yoursearchhere |
stats count by criteria | 
eventstats sum(count) as totalCount |
eval percentage=round(count*100/totalCount,1) |
fields - count totalCount |
chart max(percentage) by criteria

In the search above max(percentage) is really sort of a no-op, as there is only one percentage for each criterion. But you can't just give a field name for the Y argument, you have to give a function...

Reply
Solved! Jump to solution

ChrisG
Splunk Employee
Splunk Employee
‎06-04-2012 01:43 PM

And, just for completeness...eventstats is discussed in http://docs.splunk.com/Documentation/Splunk/4.3.2/User/UseReportingCommands, and the reference topic for it is http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/Eventstats.

Reply
Solved! Jump to solution

lguinn2
Legend
‎06-04-2012 01:21 PM

eventstats calculates a statistic (same functions as stats) - and then adds the results as a field to every event. Just do this and you will be able to see it better:

yoursearchhere |
stats count by criteria |
eventstats sum(count) as totalCount

The totalCount field is the same in every event, because it is the overall total.

Reply
Solved! Jump to solution

a212830
Champion
‎06-01-2012 06:53 PM

Thanks. Looks like it did the trick - I'm looking at my training manuals and reference sheets, and I don't see eventstats listed anywhere. What does that do?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...